Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
GlassWorm Campaign Targets Developer IDEs with Zig Dropper

GlassWorm Campaign Targets Developer IDEs with Zig Dropper

Posted on April 10, 2026 By CWS

Cybersecurity experts have identified new tactics in the ongoing GlassWorm campaign, which is utilizing a novel Zig dropper to covertly compromise integrated development environments (IDEs) on developer systems.

Discovery in Open VSX Extension

The campaign’s latest tactic was uncovered within an Open VSX extension known as “specstudio.code-wakatime-activity-tracker.” This extension mimics WakaTime, a widely-used tool for tracking programming time in IDEs. The extension has been removed from download platforms.

Aikido Security researcher Ilyas Makari highlighted that the extension incorporates a Zig-compiled native binary alongside JavaScript code. This approach is not new for GlassWorm, which has previously employed native code in its extensions. However, this binary serves as a stealthy intermediary for the GlassWorm dropper, enabling it to undetectably infect additional IDEs on the machine.

Impacts on Developer Tools

The compromised Microsoft Visual Studio Code (VS Code) extension closely resembles WakaTime, except for modifications in the “activate()” function. Upon installation, it deploys a binary named “win.node” on Windows or “mac.node” on macOS, depending on the operating system.

These Node.js native addons, written in Zig, operate outside the JavaScript environment with full system-level access. Their primary function is to identify all IDEs compatible with VS Code extensions, including Microsoft VS Code, VS Code Insiders, VSCodium, and others, some of which are AI-enhanced coding tools.

Malicious Extension Deployment

Once identified, the binary downloads a malicious VS Code extension (.VSIX) from a GitHub account controlled by attackers. Named “floktokbok.autoimport,” this extension poses as “steoates.autoimport,” a legitimate tool with over 5 million installations.

In the final stage, the .VSIX file is temporarily stored and discreetly installed into every IDE using each editor’s command-line installer. This secondary VS Code extension serves as a dropper, avoiding execution on Russian systems, connecting to the Solana blockchain for command-and-control server information, and exfiltrating sensitive data. It also installs a remote access trojan (RAT) that deploys a data-stealing Google Chrome extension.

Protective Measures and Recommendations

Developers who have installed “specstudio.code-wakatime-activity-tracker” or “floktokbok.autoimport” should assume their systems are compromised and immediately rotate all security credentials.

Staying informed about such threats is crucial for maintaining cybersecurity in development environments. Regularly updating software and extensions, alongside vigilant monitoring for suspicious activities, can help mitigate risks posed by campaigns like GlassWorm.

The Hacker News Tags:Blockchain, Cybersecurity, developer security, GlassWorm, Google Chrome extension, IDE infection, Malware, remote access trojan, VS Code, Zig dropper

Post navigation

Previous Post: Critical Juniper Networks Flaw Exposes Devices to Attacks
Next Post: Juniper Networks Fixes Critical Junos OS Security Flaws

Related Posts

Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts The Hacker News
Why SOC Burnout Can Be Avoided: Practical Steps Why SOC Burnout Can Be Avoided: Practical Steps The Hacker News
Shield Your SaaS from Bot Threats with SafeLine WAF Shield Your SaaS from Bot Threats with SafeLine WAF The Hacker News
Revolutionizing Network Detection with AI-Driven NDR Revolutionizing Network Detection with AI-Driven NDR The Hacker News
AryStinger Malware Targets Legacy Routers for Proxy Network AryStinger Malware Targets Legacy Routers for Proxy Network The Hacker News
Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft’s AI Strategy Enhances Vulnerability Detection
  • Cloud Bucket Hijacking and Global Fraud: Key Cybersecurity Threats
  • AssuranceAmerica Data Breach Affects Millions’ Personal Data
  • npm 12 Enhances Security by Disabling Install Scripts
  • Maximizing Threat Intelligence for Effective SOC Operations

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark